Thursday, 29 November 2012
- RE: [webappsec] Call for Consensus: CSP 1.1 to FPWD
- RE: [webappsec] ACTION REQUIRED: Call for Consensus on new WebAppSec WG Charter
- Re: Trigger a DOM event/error when a CSP violation happens.
- Re: [webappsec] Call for Consensus: CSP 1.1 to FPWD
- Re: [webappsec] ACTION REQUIRED: Call for Consensus on new WebAppSec WG Charter
Wednesday, 28 November 2012
- Re: UI Safety Obstruction check and transforms
- RE: UI Safety Obstruction check and transforms
- Re: UI Safety Obstruction check and transforms
- Re: UI Safety Obstruction check and transforms
- Re: Trigger a DOM event/error when a CSP violation happens.
- Re: Trigger a DOM event/error when a CSP violation happens.
- Re: [webappsec] Call for Consensus: CSP 1.1 to FPWD
- RE: [webappsec] Call for Consensus: CSP 1.1 to FPWD
- Re: [webappsec] Call for Consensus: CSP 1.1 to FPWD
- RE: [webappsec] Call for Consensus: CSP 1.1 to FPWD
- Re: [webappsec] Call for Consensus: CSP 1.1 to FPWD
Tuesday, 27 November 2012
- Re: [webappsec] Call for Consensus: CSP 1.1 to FPWD
- RE: [webappsec] Call for Consensus: CSP 1.1 to FPWD
- [webappsec] ACTION REQUIRED: Call for Consensus on new WebAppSec WG Charter
- [webappsec] Call for Consensus: CSP 1.1 to FPWD
- Re: Trigger a DOM event/error when a CSP violation happens.
- Re: Trigger a DOM event/error when a CSP violation happens.
- Re: Trigger a DOM event/error when a CSP violation happens.
Thursday, 22 November 2012
- Re: Trigger a DOM event/error when a CSP violation happens.
- Re: Trigger a DOM event/error when a CSP violation happens.
- Re: Trigger a DOM event/error when a CSP violation happens.
- Re: RfR: CORS tests - deadline 6 December
Wednesday, 21 November 2012
- [webappsec] Teleconference Poll: time unchanged
- Re: RfR: CORS tests - deadline 6 December
- Re: [websec] Call for Consensus: CORS to Candidate Recommendation
- RE: A11y for Web App Sec Anti clickjacking spec
- RE: CORS test status
- RfR: CORS tests - deadline 6 December
- Re: CORS test status
- UI Safety Obstruction check and transforms
Tuesday, 20 November 2012
- Call for Exclusions: User Interface Safety Directives for Content Security Policy
- [webappsec] New draft charter for discussion
- Re: Restricting APIs in CSP
- Re: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]
- Re: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]
- Re: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]
- [webappsec] Agenda for Teleconference of Nov 20, 2012
- RE: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]
Monday, 19 November 2012
- [webappsec] TPAC chatlog cleanup
- Re: how to protect javascript codes
- Re: how to protect javascript codes
Sunday, 18 November 2012
Saturday, 17 November 2012
- Re: [webappsec] subsume X-XSS-Protection into CSP 1.1?
- Re: [webappsec] subsume X-XSS-Protection into CSP 1.1?
- Re: [webappsec] subsume X-XSS-Protection into CSP 1.1?
- Re: how to protect javascript codes
- Re: how to protect javascript codes
- Re: how to protect javascript codes
- RE: how to protect javascript codes
- Re: how to protect javascript codes
- how to protect javascript codes
Friday, 16 November 2012
- Re: Call for Consensus: CORS to Candidate Recommendation
- Re: Call for Consensus: CORS to Candidate Recommendation
Thursday, 15 November 2012
- Call for Consensus: CORS to Candidate Recommendation
- [webappsec] PLEASE RESPOND: poll for new teleconference time
Tuesday, 13 November 2012
Monday, 12 November 2012
Sunday, 11 November 2012
Friday, 9 November 2012
- [Bug 19920] New: Don't allow space-separated origins in the syntax
- Re: [webappsec] subsume X-XSS-Protection into CSP 1.1?
Thursday, 8 November 2012
- RE: [webappsec] subsume X-XSS-Protection into CSP 1.1?
- Re: [webappsec] subsume X-XSS-Protection into CSP 1.1?
- webappsec-ISSUE-40 (X-XSS-Protection): Look at incorporating X-XSS-Protection functionality into CSP 1.1
- Re: [webappsec] subsume X-XSS-Protection into CSP 1.1?
- [webappsec] subsume X-XSS-Protection into CSP 1.1?
Wednesday, 7 November 2012
- Re: [webappsec] updated draft SVG: simple CORS request
- RE: [webappsec] updated draft SVG: simple CORS request
- Re: [webappsec] updated draft SVG: simple CORS request
Tuesday, 6 November 2012
Monday, 5 November 2012
- RE: Batching CSP violation reports.
- Re: Batching CSP violation reports.
- RE: Batching CSP violation reports.
- Re: Batching CSP violation reports.
- Re: Batching CSP violation reports.
- Batching CSP violation reports.
- [webappsec] call for reportURIs DOM API use cases
- [webappsec] Remote participation in IETF websec meeting
- Re: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]
- Re: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]
- RE: Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]
- Please fix! [Pub request: FPWD of User Interface Safety Directives for CSP]
- RE: ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally?
- RE: ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally?
- RE: ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface
- RE: ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally?
- RE: ISSUE-26: Does the sandbox directive make sense in a meta tag context?
Sunday, 4 November 2012
- RE: ISSUE-25: Do frame-options directives (or other UISafety directives) make sense in a meta tag context?
- RE: Script-nonce policies
Saturday, 3 November 2012
- Re: ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive
- Re: ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive
Friday, 2 November 2012
- Re: ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive
- Re: Script-nonce policies
- Re: ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive
- Re: Script-nonce policies
- Re: Script-nonce policies
- Re: CSP, style-src, and what it means to ignore style attributes
- Re: Restricting APIs in CSP
- TPAC meeting adjourned
- Restricting APIs in CSP
- Re: CSP and inline styles
- ISSUE-39: Discuss CSP relevant use cases for possibly including Meta Referrer as a CSP directive
- Re: CSP and inline styles
- ISSUE-38: Discuss no-mixed-content further as a 1.1 experimental directive
- ISSUE-37: How to apply plugin-types in CSP 1.1 to iframes
- ISSUE-36: Are we interested in considering script-hash as a CSP 1.1 directive?
- CSP, style-src, and what it means to ignore style attributes
- ISSUE-35: Should we add an "httpOnly" like directive to CSP to indicate that the state of this policy is not available to the script APIs?
- ISSUE-34: Discuss use cases / risks of script access to CSP information, solicit specific public comment on this feature with FPWD
- ISSUE-33: Need to address blob, data, filesystem URL types with greater specificity in CSP 1.1 spec
- ISSUE-32: Do we specify that path-specificity applies only to hierarchical URI schemes?
- ISSUE-31: What specification's definition of URL/URI are we using for path parsing in CSP 1.1?
- ISSUE-30: How to address dynamic application of CSP post page load / partial page load via META or script interface
Thursday, 1 November 2012
- ISSUE-29: What are sane defaults for clipping with clipping or selectors?
- ISSUE-28: What specific attacks are prevented by OS screenshots, should this be recommended against generally?
- ISSUE-27: Implementation concern on how to enforce display-time : should we provide more advice on how to do this efficiently?
- ISSUE-26: Does the sandbox directive make sense in a meta tag context?
- ISSUE-25: Do frame-options directives (or other UISafety directives) make sense in a meta tag context?
- ISSUE-24: ();
- ISSUE-23: Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block so event is not delivered
- ISSUE-22: Are there cases of synthetic UIEvents where it would be useful to set the unsafe attribute even if the policy is block (so event is not delivered)
- ISSUE-21: Do assistive technologies send real events or synthetic events?
- ISSUE-20: If browsers apply this heuristic without an explicit opt-in policy, should we always block and not have the unsafe UIEvent property
- updated test VM link
- Running a few min late
- TPAC schedule clarification